Abstract

In reality, some computers have a specific security classification. For the sake of safety and cost, the security level of computers is upgraded as threats in networks increase. Here we assume that there exists a threshold value which determines when countermeasures should be taken to level up the security of a fraction of computers with low security level. In some specific realistic environments the propagation network can be regarded as fully interconnected. Inspired by these facts, this paper presents a novel computer virus dynamics model that considers the impact of security classification in a fully interconnected network. By using the theory of dynamic stability, the existence of equilibria and their stability conditions are analysed and proved, and the above optimal threshold value is given analytically. Then, some numerical experiments are made to justify the model. Besides, some discussions and antivirus measures are given.

1. Introduction

With the rapid development of the Internet, the spread of computer virus has brought a lot of potential safety problems, which not only caused huge waste to the network resources but also harmed the interests of individuals and the masses. The traditional way of antivirus is constantly updating the virus library of antivirus software. But it is a passive mechanism to prevent viruses. In this context, the macroscopical study of computer virus propagation is regarded as a very important approach to antivirus and has received more and more attention from scholars.

In 1991, Kephart and White first used the model of biological infectious virus to study the spread of computer viruses [1]. Since then, a lot of dynamical models of computer virus have been presented. These models can be simply divided into two broad categories, homogeneous models and heterogeneous models, according to whether the network is fully connected or not.

In recent years, more and more scholars have begun to study heterogeneous models. Kjaergaard and his partners followed the time evolution of information propagation through communication networks by using the susceptible-infected (SI) model with empirical data on contact sequences [2]. Castellano and Pastor-Satorras studied the threshold of epidemic models in quenched networks with degree distribution given by a power-law for the susceptible-infected-susceptible (SIS) model [3]. Zhu et al. investigated a new epidemic SIS model with nonlinear infectivity, as well as birth and death of nodes and edges [4]. Taking into account the power-law degree distribution of the Internet, Yang et al. proposed a novel epidemic model of computer viruses and presented the spreading threshold for the model [5]. L.-X. Yang and X. Yang proposed an epidemic model of computer viruses over a reduced scale-free network [6]. Yang and his partners proposed a node-based susceptible-latent-breaking-susceptible (SLBS) model which addresses the impact of the structure of the viral propagation network on the viral prevalence [7]. To understand the impact of available information in the control of malicious network epidemics, Mishra and three others proposed a type differential epidemic model, where the differentiability allows a symptom based classification [8]. All these models assume that the spread of viruses can only be through the topological neighbors.

In fact, a lot of viruses can propagate without dependence on the topology, such as Code Red (2001), Slammer (2003), Blaster (2003), Witty (2004), and Conficker (2009). By probing the entire IPv4 space or localized IP addresses, these viruses can infect an arbitrary vulnerable computer. In this condition, the propagation network can be regarded as fully connected. Besides, there are still some fully interconnected networks, such as virtual cluster in cloud [9–12]. So the study of homogeneous models is also an important branch of computer virus dynamical models. Based on two facts, that a portion of infected external computers could enter the Internet and that removable storage media could carry viruses, Gan et al. established a series of dynamical models [13–16]. Amador and Artalejo investigated the dynamics of computer virus spreading by considering a stochastic SIRS model where immune computers send warning signals to reduce the propagation of the virus among the rest of computers in the network [17]. Liu and Zhong presented and analyzed an SDIRS model describing the propagation of web malware based on the assumption of homogeneity [18]. Yuan and three others presented a nonlinear force of infection function for e-SEIR model to study the crowding and psychological effects in network virus prevalence [19].

In order to protect the security and stability of information systems, the concept of information security classified protection is proposed and has been a basic strategy of construction of national information. But to our knowledge, nearly all previous models describing the spread of computer viruses ignore the impacts of security classifications. In order to study how these factors affect the spread of computer viruses on the Internet, this paper proposes a novel computer virus propagation model. A thorough analysis of this model shows that some equilibria exist and are globally asymptotically stable in a specific situation. Besides, some simulation experiments are performed to examine the conclusions drawn from this model. In the end, some effective strategies for controlling virus spreading are recommended.

The subsequent materials are organized in this fashion: The idea of modeling is introduced in Section 2. The new model is established in Section 3. The analysis of four equilibria is addressed in Section 4. The local and global stabilities of these equilibria are investigated in Sections 5 and 6, respectively. Simulation experiments and some discussions are presented in Section 7. Finally, this work is outlined in Section 8.

2. Idea of Modeling

In a security classification network, blindly increasing the security level of computers will result in both waste of resources and increase of cost. Therefore, reinforcing the security level of computers must be targeted. For the security classification of computers, the influential criteria are the “Trusted Computer System Evaluation Criteria (TCSEC)” issued by the United States Department of Defense [20]. By using these criteria, computers in the network can be divided into four divisions. From high to low, they are Levels A, B, C, and D, respectively.

Low Security Level: Divisions D and C. In this level, it is reserved for those systems that have been evaluated but that fail to meet the requirements for a higher evaluation class. Classes in this level provide for discretionary (need-to-know) protection and it can only provide a review of protection.

High Security Level: Divisions B and A. The security-relevant sections of a system are mentioned throughout this document as the Trusted Computing Base (TCB) [21]. Computers in this level must carry the sensitivity labels with most data structures in the system and the system developer should provide the security policy model based on TCB. By using formal security verification methods, this level requires that each operation in the system must have a formal documentation and can only be made by the administrator.

Obviously, computers with low security level are more likely to be infected by virus. This is the first breakthrough point for modeling.

In the network with security classification, for the sake of cost, administrators usually do not take any measures to upgrade the computers with low security level if there are only few threats. As the number of infected computers in the network increases, the administrators will ultimately upgrade the security level of computers. Here we assume that there exists a threshold value. If the number of infected computers is above the threshold value, some countermeasures will be taken to level up the security of a fraction of computers with low security level. Further, assume that the probability of taking upgrading measures for one uninfected computer is proportional to the number of infected computers. The flow diagram in Figure 1 can briefly express these operations. How the threshold value and the fraction of upgraded computers affect the propagation of computer virus is the concern in this paper.

3. Model Formulation

According to the situation of computer virus infection and the level of computer security, all computers in the network are divided into three compartments.

(a) -compartment: the set of uninfected or susceptible computers in low security level
(b) -compartment: the set of uninfected or susceptible computers in high security level
(c) -compartment: the set of infected computers

For the modeling purpose, a series of parameters are introduced and some assumptions are made.

(1) One can assume that the average probabilities per unit time of and computers connecting to the network are and , respectively.
(2) Every computer in the system is got out for some reasons with the average probability per unit time , where is positive constant.
(3) Due to possible contact with infected computers in the network, every and computer is infected with the average probabilities and per unit time, respectively, where and are positive constant and .
(4) Assume that one computer becomes an computer (or an computer) with the average probability per unit time (or ), where are positive constants.
(5) As mentioned in Section 2, the upgrading probability of an computer is denoted by a piecewise function . The expression of is as follows: denotes the threshold value and denotes the fraction of upgrading computers.

Let , , and denote, at time , the average numbers of -, -, and -compartment computers, respectively. Let denote the total number of all computers in the system at time . Unless otherwise stated in the following content, they will be abbreviated as , , , and , respectively. Then, . The collection of the above parameters and assumptions can be schematically depicted in Figure 2, from which the dynamical model is formulated as the following differential system: Considering that , system (2) can be reduced to the following system:

Solving the first equations of system (3), it is easy to obtain . Therefore, system (3) can be reduced to the following limiting system [22, 23]: The feasible region for system (4) is which is positively invariant.

4. Equilibria

In this section, all equilibria of system (4) are calculated. To obtain all potential equilibria, system (4) can be written as From (6) the fact that there always exists a virus-free equilibrium can be got: and the basic reproduction number is Let The quadratic equation of can be got from system (6) and (7) as follows: Considering that , are the roots of (13) and , are the roots of (14) (), the solution of (6) and (7) can be got as follows: (13) and (14) can be deduced as follows: because of and . Then Assuming , then and , which contradicts (17). So . In the same way, one can get

Theorem 1. There are only two viral equilibria and in this model if (1);(2);(3).

Proof. System (13) has two real roots if . From (10) one can get that if ; then . So the fact that if can be got (in the same way, the fact that can be got if , ) and there are only two viral equilibria if from (18).

Theorem 2. System (4) has only three viral equilibria , , and if (1);(2);(3);(4).

Proof. Like the proof of Theorem 1, it does not need to be stated.

Theorem 3. System (4) has only one viral equilibrium if (1);(2).

Proof. One can get if and . So and . Then the fact that only existed if from (18) can be got.

5. The Local Stability Analysis

To examine the local stability of the equilibria of system (4), its Jacobian matrices should be got as follows:

Theorem 4. is locally asymptotically stable if .

Proof. The associated characteristic equation of can be got from as follows: Then Based on the Lyapunov theorem [24], only if are all eigenvalues of (17) negative. In this situation, is locally asymptotically stable.

Theorem 5. is locally asymptotically stable if system (4) follows Theorem 1 or 2 or 3.

Proof. The associated characteristic equations of can be got from as follows: where The associated characteristic equations of can be got from as follows: where ; the Hurwitz criterion follows [24], so is locally asymptotically stable.

6. The Global Stability Analysis

This section will discuss the global stability of the equilibrium of system (4). To get global stability, let us investigate the following lemmas.

Lemma 6. For system (4), there is no periodic solution in the interior of .

Proof. Let and then Thus, the claimed result follows from the Bendixson-Dulac criterion [24].

Lemma 7. For system (4), there is no periodic solution that passes through a point on , the boundary of .

Proof. Consider an arbitrary point (), on the boundary of . From (5), consists of the following three possibilities: (a). Then , , and , (b), . Then .(c). Then . In view of the orbit smoothness, combining the above discussions can get the claimed result.

In view of Lemmas 6 and 7 and Theorems 3–5, the main result of this section can be got as follows.

7. Numerical Examples and Discussions

In this section, some numerical examples are used to verify the results obtained in the previous section.

Example 1. Suppose , , , , , , , , and . In this situation, , . Some trajectories of initial points are displayed in Figure 3(a) and the time plots about two of them are shown in Figures 3(b) and 3(c). In Figure 3(a), the blue dashed line divides into (above the blue dashed line) and (under the blue dashed line). The initial points in are finally stable at and in are finally stable at , which complies with the third row of Table 2. The abbreviation notations of Table 2 are shown in Table 1.

Example 2. Suppose , , , , , , , , and . In this situation, . Some trajectories of initial points are displayed in Figure 4(a) and the time plots about two of them are shown in Figures 4(b) and 4(c). In Figure 4(a), the blue dashed line divides into (above the blue dashed line) and (under the blue dashed line). The initial points in are finally stable at and in are finally stable at , which complies with lines 4-5 of Table 2.

Example 3. Suppose , , , , , , , , and . In this situation, and there is only in the system. Some trajectories of initial points are displayed in Figure 5(a) and the time plots about two of them are shown in Figures 5(b) and 5(c). The initial points in are finally stable at , which complies with line 2 of Table 2.

Example 4. Suppose , , , , , , , , and . In this situation, . Some trajectories of initial points are displayed in Figure 6(a) and the time plots about two of them are shown in Figures 6(b) and 6(c). The initial points in are finally stable at , which complies with line 6 of Table 2.

Example 5. Suppose , , , , , , , , and . In this situation, . Some trajectories of initial points are displayed in Figure 7(a) and the time plots about two of them are shown in Figures 7(b) and 7(c). The initial points in are finally stable at , which complies with the last row of Table 2.

By introducing random factors and model adaptive behavior, a series of simulation runs is used to approximate actual worm propagation more closely, since real-world data are unavailable. Hosts (used IP addresses) here appear as abstractions in the simulations. Instead of modeling various operating systems and services, each host is simply considered to be one of the following: susceptible nodes with high security level, susceptible nodes with low security level, and infected nodes. Here a complete network with initial 10000 nodes is applied for numerical evaluation. We focus on how the mechanisms of security classification and intervention affect the propagation of network viruses, so we simulate three scenarios for the spread of viruses: non-SC non-INTVIN scenario, with SC non-INTVIN scenario, and with SC and INTVIN scenario (see Figure 8), where SC and INTVIN are short for security classification and intervention, respectively. And the parameters and determine when to intervene and the strength of interventions, respectively. For evaluation purpose, the values of the model parameters are set as follows: , , , , , , , and other parameters are shown in Figure 8. In general, simulation results show that the intervention mechanism proposed in this paper can be applied to curbing the spread of virus effectively. Moreover, a large number of simulations are conducted to study how the combination of and affects the propagation scale (see Figure 9). Obviously, the earlier (the lower ) and stronger (the higher ) the intervention is introduced, the fewer the nodes finally get infected. We divide the parameter subspace into two parts, numbered as A and B (as shown in Figure 9). Simulation results lead to the following conclusions.

(1) If , the value of (defined in Figure 9) only depends on the value of . So in Figure 8 the number of infected nodes in scenarios with is the same as the one with , where , and it is higher than the one with and . More precisely, the value of decreases as increases.
(2) If , the value of only depends on the value of (4). So in Figure 8 the number of infected nodes in scenarios with is the same as the one with , where , and it is higher than the one with and . Note that does not always decrease with the increase of , because the intervention is never involved for large (see the dark black part for in Figure 9).
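The threshold-triggered upgrade discussed above can be reproduced with a small deterministic sketch; this is an added example, not the authors' code or simulator. The equations are an assumed reconstruction from the compartments and assumptions (1)-(5) of Section 3, the upgrade rate is taken as proportional to the infected count above the threshold as stated in Section 2, and every parameter name and value is constructed for illustration.

```python
"""Added sketch: low/high-security susceptible + infected compartments
with a threshold-triggered upgrade. All names and values are constructed."""
from dataclasses import dataclass


@dataclass
class Params:
    mu_low: float = 80.0      # low-security computers joining per unit time
    mu_high: float = 20.0     # high-security computers joining per unit time
    delta: float = 0.01       # rate at which any computer leaves the network
    beta_low: float = 5e-5    # infection rate of low-security susceptibles
    beta_high: float = 1e-5   # infection rate of high-security susceptibles
    gamma_low: float = 0.05   # cured computer returns as low-security
    gamma_high: float = 0.05  # cured computer returns as high-security
    threshold: float = float("inf")  # infected count that triggers upgrading
    strength: float = 0.0     # upgrade rate per infected computer once triggered


def upgrade_rate(infected, p):
    """Piecewise upgrade probability: zero at or below the threshold,
    proportional to the infected count above it (assumed form)."""
    return p.strength * infected if infected > p.threshold else 0.0


def simulate(p, low=7990.0, high=2000.0, infected=10.0, t_end=1000.0, dt=0.05):
    """Forward-Euler integration; returns the final (low, high, infected)."""
    for _ in range(int(t_end / dt)):
        new_low = p.beta_low * low * infected      # low-security infections
        new_high = p.beta_high * high * infected   # high-security infections
        upgraded = upgrade_rate(infected, p) * low  # low -> high upgrades
        d_low = (p.mu_low - new_low - upgraded
                 + p.gamma_low * infected - p.delta * low)
        d_high = (p.mu_high - new_high + upgraded
                  + p.gamma_high * infected - p.delta * high)
        d_inf = (new_low + new_high
                 - (p.gamma_low + p.gamma_high + p.delta) * infected)
        low += dt * d_low
        high += dt * d_high
        infected += dt * d_inf
    return low, high, infected


def final_infected(threshold, strength):
    """Infected count at the end of the run for one (threshold, strength) pair."""
    return simulate(Params(threshold=threshold, strength=strength))[2]


if __name__ == "__main__":
    scenarios = [("no intervention", float("inf"), 0.0),
                 ("early, strong", 1000.0, 1e-4),
                 ("early, weak", 1000.0, 2e-5),
                 ("threshold never reached", 9000.0, 1e-4)]
    for label, thr, s in scenarios:
        print(f"{label:26s} infected at t=1000: {final_infected(thr, s):8.1f}")
```

With these constructed values the run without intervention settles at about 4,257 infected nodes and the early, strong intervention at about 1,577; a threshold of 9,000 is never crossed, so that run is identical to the one without intervention.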

Remark 6. The simulations here do not take into account latency issues, hop-count, bandwidth limitations, and transfer times or connectivity issues. Since the scale of simulated network is quite small compared with the real Internet, all parameters are assumed on that scale. But the scale factor can also make the real world more complex.

Table 2 suggests that, to eradicate viruses from the Internet, one should take necessary actions to control the system parameters so that is well below 1 and not let the system meet lines 3–5 of Table 2. After simple calculations, the following can be got: Thus, is increasing with and is decreasing with .

Based on the above discussions, an incomplete list of effective measures for users to contain the virus prevalence is presented below:

(1) Timely acquire the updated versions of the antivirus software, so that the two infecting probabilities, and , are both reduced and the curing probabilities, and , are enhanced.
(2) Do not connect computers to the Internet when unnecessary, so that the recruitment rate, , is lowered.
(3) For both cost and security, set the threshold value at which the administrator takes measures to upgrade the security level close to the value of stable infections in the stage of taking measures.

8. Conclusions

In this paper, we presented a novel intervention mechanism to restrain the virus spreading under the framework of security classification. The model reflects a realistic scenario of how the intervention is applied when the number of infected nodes reaches the intervention threshold. Theoretical analysis and numerical evaluation are used to study how , affect the propagation behaviors. The main results are listed as follows: The dynamic behaviors of computer virus under security classification differ from those under common circumstances. Obviously, much higher security computers will lead to fewer infections. The earlier and the stronger the intervention is introduced, the fewer the nodes finally get infected. According to the brief parameter analysis, some other effective measures in reality are presented. Viewed from a real-world perspective, in order to make better use of this intervention mechanism, one of the most important things is how to detect the exact number of infected nodes. Although an in-depth discussion of this is outside this paper’s scope, we are forced to point out that the measured value is below the actual one. In this case, the actual value of intervention threshold must be set below the theoretical one.

Our future work will be focused on studying such intervention mechanism in heterogeneous networks, such as small-world network and scale-free network.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by Chongqing Engineering Research Center of Mobile Internet Data Application, Scientific and Technological Research Program of Chongqing Municipal Education Commission (Grant nos. KJ1500415, KJ1400414, KJ1500434, and KJ1704080), Doctoral Scientific Research Foundation of Chongqing University of Posts and Telecommunications (Grant no. A2015-02), and the National Natural Science Foundation of China (no. 61672004).